Malware Analysis Report

2025-01-22 19:57

Sample ID: 241016-wkqkxatbmd
Target: 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock
SHA256: 757e139e9d70d76499da424b9a2897ac4d4159b1cdf51a93ffaf1c21c015e3b5
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 757e139e9d70d76499da424b9a2897ac4d4159b1cdf51a93ffaf1c21c015e3b5

Threat Level: Known bad

The file 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (81) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:59

Reported

2024-10-16 18:01

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical entry recorded 64 times by C:\Windows\SysWOW64\reg.exe)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical entry recorded 64 times by C:\Windows\SysWOW64\reg.exe)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A
N/A N/A C:\ProgramData\rOIMsQgs\zWIMoMgY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZwQoIEww.exe = "C:\\Users\\Admin\\zEQwwUAo\\ZwQoIEww.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zWIMoMgY.exe = "C:\\ProgramData\\rOIMsQgs\\zWIMoMgY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZwQoIEww.exe = "C:\\Users\\Admin\\zEQwwUAo\\ZwQoIEww.exe" C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zWIMoMgY.exe = "C:\\ProgramData\\rOIMsQgs\\zWIMoMgY.exe" C:\ProgramData\rOIMsQgs\zWIMoMgY.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (recorded 26 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (recorded 19 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (recorded 10 times)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A (recorded 9 times)
(64 entries in total)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical entry repeated 64 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
(identical entry repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe N/A
(identical entry repeated 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe
PID 756 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe
PID 756 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe
PID 756 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe
PID 756 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\rOIMsQgs\zWIMoMgY.exe
PID 756 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\rOIMsQgs\zWIMoMgY.exe
PID 756 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\rOIMsQgs\zWIMoMgY.exe
PID 756 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\rOIMsQgs\zWIMoMgY.exe
PID 756 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2552 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2552 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2552 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 756 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2668 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2488 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2488 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2488 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2668 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"

C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe

"C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe"

C:\ProgramData\rOIMsQgs\zWIMoMgY.exe

"C:\ProgramData\rOIMsQgs\zWIMoMgY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAwEgoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMkUkEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoAsIMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIIoEwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qukgMMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAIIIkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwYEYQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WoAYksgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMgkooEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pawEMAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCIAooAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuooEkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kaYkYMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeYwQEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eegcsYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUQgsAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fmkAQsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FssQAIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQYYwkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqMgksUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQMEcwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIEgwwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\guowMUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUgAwUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EUQsAEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQYIYwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FkoIkAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsokcUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TugAsEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUgwQEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKIcEcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECQQogYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogcIIEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGQIwYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaEcEsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-25389591-166182101-5888521595140365781026546650-927464099-1448805281-270091332"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYskQwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqogAwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-776986413-1901274731-11102913172031443685-50571116221298935016249431-1235074484"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMooMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aCYIMgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1101437673663777712-2112038438-124134391780435557-405375235867139969577315229"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwEEMoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkcsAkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROYQscsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWwcEMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkUcMMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqgsIIgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMEQsAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICccYYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmsQQQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWgsYMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\reQIIoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaYcgYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\loYgkkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOwQMYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUggYEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcwMQIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSwIIEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCoQoMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAcgkMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jsAMIEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGMQMYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rSQwosMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pKIIYMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dikUUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgQsIUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AysEccIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EQMkkwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIcQssYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkwoMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\viEwsgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQUEEoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWEQcQsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWMwwUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOQcwEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country  Destination          Domain      Proto
BO       200.87.164.69:9999               tcp
BO       200.87.164.69:9999               tcp
US       8.8.8.8:53           google.com  udp
US       8.8.8.8:53           google.com  udp
GB       172.217.169.14:80    google.com  tcp
GB       172.217.169.14:80    google.com  tcp
BO       200.119.204.12:9999              tcp
BO       200.119.204.12:9999              tcp
BO       190.186.45.170:9999              tcp
BO       190.186.45.170:9999              tcp

Files


memory/2596-1271-0x0000000000400000-0x000000000041F000-memory.dmp

memory/316-1270-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2596-1269-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EIkI.exe

MD5 f00d3981edefcf3c46fcaa57f167c7e1
SHA1 bbfad7f76914cdd09b2bf96a0baf5d3555862ac9
SHA256 7a77364b7b8b5586a9db37fe1d0aec751f2d45cb0290b9b1c803f5261ebac837
SHA512 4e1f6b789896b9a9433e7f7eeef551c2eabe9d9a4d71cd94cd05246079860b53e409327ea59947200fc86558d8c6078bfdb9bff75e4c20476ad277af8fa881d5

C:\Users\Admin\AppData\Local\Temp\eMwu.exe

MD5 2a864ebc1fdf5e78c24d9cb264410415
SHA1 62d06d9f306abfc45f64396ccea2226deebc93cb
SHA256 7ce1a1cdfc9f9538219afe55c361cd361585bf40a487107377d6431133c78910
SHA512 cd03f901ae490bd8dbb94731abbe294ec9e110ce774ba1a39e56fba7e527074f8b2bb541c853f2d5b0f317947c75d2051cca843f365a536fa60e7d63b60f3aa5

memory/2764-1307-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwkU.exe

MD5 c2d0755e2355dc72149b87388df58a6b
SHA1 96bca6133b76a3e1daf0bac0c215699b9e2516a6
SHA256 4830e70d8b62cd1ee4aca314defedca799552925f70c84c8d3951abcfa0b0117
SHA512 4fdde8c6469a3e2667238f454c263071ca7ef7e05572871c388318c96fe46c8e7f821cbb75b3cc64d034e2ac2b3831d70e11dd4bd3034f55602feec44beed1e7

C:\Users\Admin\AppData\Local\Temp\sgsk.exe

MD5 8dc7c12e135e1f8542ba40a666a5ae2b
SHA1 d768155a1bd7000a2bc112f8af699e703ac19b3b
SHA256 24b9883cb3723f27527cf5988549336350cf402ddb2cfeb779333245ead2b9ba
SHA512 552843eda78bd4c6acbe2c023f8bbf225228151205406ba5001d3e307f983ef902d854e4ff40fd6db7f68ef8291c194aad77176dc25b222207a8f3d07072d4f7

C:\Users\Admin\AppData\Local\Temp\ogYY.exe

MD5 0dc82966c8b279c192f383efba7dba38
SHA1 357829ee6e4ca113e5330aceb9f54e4da9e31ecb
SHA256 fa45ef3f236d685aceaf4520015860c79c54f9bb217c55198fe7f8b11656bf44
SHA512 765acfe9dca7d11ca5651426ab28717aa3f0540eb1bdacb767b79d3fc79babde670aab16125d1032eb1a97731635120fbde9355efba8f397b62a340c1e7b0263

C:\Users\Admin\AppData\Local\Temp\NCIIoQUM.bat

MD5 a14e4cf2b1aa375da693625eab003ea0
SHA1 bc6f6e585502727f1af360a2ddcd73dc2df5de16
SHA256 053900a5f992f4f6a93673262a4a91654a88a1451197bdd8ce3e679e8109168c
SHA512 0c047ebf484239d51c4721f5b78852a73384b8c0a247e02e6598fd7af2c6c277562b722646966f1a9474d4e29aee76669188ce2eb6557bb90a985a5d30a108e4

C:\Users\Admin\Downloads\CopyAssert.mp3.exe

MD5 ea635c7facdb1d95b02ac6c148db6b2a
SHA1 ad5bab46e134c23480cd9ee7f47c7e61992d8d7f
SHA256 b50b925a03864546d4754814bf503a309b4d8e90eb3aa9ca4d7f03dc1f5fc44c
SHA512 1053c6a11b5e1d9da16b37aac70073d32856e820b8f7a8155c158bef4d6353dab650e91930f1bef00e5ab790a761c9d44a0a8904c3d0fd9c108eb56aa8f43611

memory/2552-1370-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2552-1369-0x0000000000160000-0x000000000017F000-memory.dmp

memory/2932-1391-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYUG.exe

MD5 6fbf5d01e003930e3f200d564367e973
SHA1 35332b779b63e5b2953df1b92d3415150aba4577
SHA256 355bd0d30aea7b312d947c1eb5c7db61166afe9482dfb0ed08214571060ce606
SHA512 6d9364589e0d3fb2b2ef966c4d35fb20b8dc947ba2b07a471f6e5e805aa7058b21e74853f7eec2a8781c77e7faadebe03023be9f86082520226cc826308e1259

C:\Users\Admin\AppData\Local\Temp\yQAW.exe

MD5 aa4b98298c68e196848bc0c83f6397ff
SHA1 cc0caa6fbbc5fa03bc0512f2a4b7433de43792a1
SHA256 e85a5a550855bd19b09e727ba69c9b8156d8b57c2f9b128508f05910d214961d
SHA512 20c5b96f78f631be765120d8e4f159570f1b6962692175dacc50b4d963c1e33f27733f5a90a71cfc40a20d6d7eac241ce9035ce8468c178a2be8dc5295361a0d

C:\Users\Admin\AppData\Local\Temp\cEEE.exe

MD5 a3d8f87af97def816ca8a6569239dd46
SHA1 ef17ab79c21a876e9ccf21e95d2bb0576939ea3f
SHA256 1cbb52e23d51d0a730fcf6467bf2d249e34ba86a60771537f448edb6954c1347
SHA512 2727b26d1682146de505dbd81d0874de53a47578e8216762002698499f317d49a6dc7f21abdd49305d99f5f19533a92ec103f57936862e6dccacddd0e2d3c9a7

C:\Users\Admin\AppData\Local\Temp\uEku.exe

MD5 fe1606c000712601f4ba776eb5bdf117
SHA1 af9fb3d4a5350f8dc4d370ab86a4c9bc5c848e1b
SHA256 1f2d11e9d223161fd4ae9b7952afa3b2aa4d2b65b07f0c70287b5b21020a1de9
SHA512 ec8532cb9d42dcf0e66173399aa9f9ac5c98861454d23fae955aa9f2a5ccf18932977875c8dac8fd7a5930335f5bf57d8f25aa3c843da8048c4aeb9fce5bd5ac

C:\Users\Admin\AppData\Local\Temp\gkcYwkck.bat

MD5 01a2862ed843eda2a6bb56a96a3a8b0f
SHA1 5ae2a2933fe6fe14696af23fcf81aa8b3ae67cf6
SHA256 dd5d089073b60df99c6a13481e79596bc3161e76491206682d5fd26713e66a27
SHA512 13e5fb385df1978dc2bb3271c439eafb1af5dc3e917df0780243b4e6fa7a23f0382c3bdb1495ed26f45410a953acd61c4b2dfbd86565698938ecb37e637f1e1f

C:\Users\Admin\AppData\Local\Temp\IUYI.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\ewEK.exe

MD5 a6a15fd388ab7fd58d0716448b5b7696
SHA1 c53a62b4e8848b1ebc59e4757dfd5c9884c3f92b
SHA256 a4c8d2e0be03004f6099d121f5d3961c2da4bc452c0c5a50ab20901efc164e36
SHA512 f6483b671f8b7adc4ec90a6152109438312206019abcbc263dc9d51d7d0135927d63fcbbd318c2c999f632538810df4828895f3ba0fc4b9d1db57fa243b76de3

memory/2648-1467-0x00000000001A0000-0x00000000001BF000-memory.dmp

memory/2648-1466-0x00000000001A0000-0x00000000001BF000-memory.dmp

memory/1480-1489-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UEgk.exe

MD5 84f3307ba1245f8d2120979381645dfa
SHA1 4496abb32fe8fd6a4d3bf98712cff0e7e0b635e6
SHA256 47f8466301462ab50aa51be2bfaf73daf6929729bbd24313efbe8dacb05a873d
SHA512 35c8fe9b989e43faf240002871882adfe1e09a7191efdb393e2b3a0511a1b1b263e3a5707526ab18dde09b9afe40d2c73519e810983b1222428a48b0e50ac72e

C:\Users\Admin\AppData\Local\Temp\Wgkg.exe

MD5 08ef07a1835f52e621c87905ca443de8
SHA1 12e13f9408cb86561a7c282e94ef94076d06eefe
SHA256 9197f6c508d6438dc79336950d708834a390b01ef0a7a05c68ccc2e677109105
SHA512 fb76b90d98022009f3d2b4384df6b180a8299b41bc39cc892f5134689e1ffba9c782931fae097e14202382d7271eb1b856896c1c0241077d54a8f6febd2bfe0c

C:\Users\Admin\AppData\Local\Temp\iyAcoMkU.bat

MD5 123bb60b4f9d55835395c22217e6400e
SHA1 5202c4c50a967edb97552c1d1d63a2b61e1a18b5
SHA256 c73c8f466792aa8341a7af1841bb2d1d50a9ad5af7c824b1eb9dea7a2fd9e47d
SHA512 c98255392296f626c782ce4e905a3612464511d0d4d3aaf6e474c4b203938ce47d3aee8b6068d1f3ee56d02727885179e819c8fe603784cdef70825aaa10d875

C:\Users\Admin\AppData\Local\Temp\sAgO.exe

MD5 a9f6e0b535790b6994e98ba5a020dc46
SHA1 0563b4693601d9baecb875ea1a66b969b8bbab02
SHA256 eae27b9c5ab526d02979877dc3d998abc827fb7c9a3870a3546821cced293248
SHA512 81b6d4cf58ddc92e5ef14726bd72295bf0381d17dca2ff7ce32f5e5ccf5ba3ce94876a44581bbf7a50caf2b5c6e64ce653151c45c96ce2cb308e138342a41b7b

C:\Users\Admin\AppData\Local\Temp\OAEg.exe

MD5 f6fb2d9f20609de2f907b2f19d39211e
SHA1 b705ac0020635082325725e7bbdae43275fd4299
SHA256 67848f7739bf7dc893f997ec30c8c1d82825447e8a361b24e155314a50d9a4af
SHA512 94c0dcede80617002ac8ae1343ac1cea83015e9593f8a890a97123e53b378cc7fe73337ad4283be152470f5fce5f684f69e2921db8542400ac4fbbd4a28bd6c2

C:\Users\Admin\AppData\Local\Temp\oEYQ.exe

MD5 c27181fc9b4af7c945a39b0d59b36df6
SHA1 1966433bd319ad1991c8eec6a9f408e304b42ab0
SHA256 12ad20792f03d56575cf75ee98e7ebcd5238508836f2f79ed5f22a9f3028c81d
SHA512 b48edab397879dd47e681d0578e8187b9bd95c29616d68b61f0c3a84641201665737d6c662bb593a48ca7c703e5023d72b40cb3e7bcd578020f8ad9226094a96

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 bb3be1751bf4ba8914f7e7b20b651a8d
SHA1 ca3ce51367cf156081c2c55ff899ff0424a414ea
SHA256 f172570d2bc373af6138e198880672c6533c0a66eb4e63c6ed9bdba89a50c75d
SHA512 0141895710bc4fdf787cb1d3c2b0d6776293143ea214b7b40994ea91cccf61af67ec58c25a8f55fa365d96969a8dc5a5ae6e5b03b38c76ecbf8cf3933ed08e94

C:\Users\Admin\AppData\Local\Temp\QaoMcQIE.bat

MD5 09c7ff4207def7acfba8d4d461bd739c
SHA1 44c0dc9e70d51c77b259c0a566b4154ba51b8f2d
SHA256 982b57c5be85004d83ca39d3041f4eab7e09e2e6509e849cd664c55cc5f53c08
SHA512 9d604acc510a95d62baaf49d8f95dc2d833af3444440481d843fbf03155a5da26f3a7be811349ca8fb3cec8c0e2aeeaaf17f8cbdb9c66dcdd9212c0e0b19c9d3

C:\Users\Admin\AppData\Local\Temp\iAYK.exe

MD5 f1d7546ef20a3bf5f7fea192cda6cc1b
SHA1 81af1e9b1fe60404de75913dbbc0d402610b366e
SHA256 6ee2ef6d06094a478e636cef4a831bcb20fd4f4e11490fd59c2c346a006d5101
SHA512 b2d59d915ef144175777138a1958cd2019f46c59931b6a845aee2270274277719461487b9df0dd3e6a714b58164c0003512c6c45346a1fabc9bc3ff00e97a7fb

C:\Users\Admin\AppData\Local\Temp\AwcW.exe

MD5 3ccc3bb29b3da9340f316baaec17a4cb
SHA1 261fabaa6d7e9fe0ca1ddd3d792d5d034c7c88f7
SHA256 a0aed59b1f4ffdb2ab68838f152c810ec4a00c6d187f153d2a86ce9f25dcbc9f
SHA512 bf219207fca55a21c933976b8f4d31dec706499911b0a6da2a3e5f4aeac9cb88ad1199e912463b911153cc864cf2f10aca3d8f3109721aee8790d40e3604e33b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 62ff4d75e5e67f91f8786e33e6a6f20a
SHA1 1e58c3ace1639c5833a84673e52c728ebb28df28
SHA256 434df8315a5595b7c29d4aceed9e0c7291ea02d93883d4629130268849c2c118
SHA512 88284589690eacb4388d62b0b591b95ae558dbe91cd6a8ac76e82e5b539e102ad92050db5926985c3672534ec55fb109555c4b17055d52b48c6f8121cef8b718

C:\Users\Admin\AppData\Local\Temp\OgMY.exe

MD5 3592cbfe811c035cfdfd9b6aa260b8c7
SHA1 fc543ff6c37561afc9604c134458960821b27225
SHA256 98c96509322ed4ef770a464da8c3c745d930d3e27425e04180e6b4e2356b27f0
SHA512 237ffd6500e04fbcfade4669e9789ae0f6c8355254b0532a36ec8a309aa2056c95348dec8d685171638eed93930ce0103541410cd0da9ef01b5abbdda1e87f1e

C:\Users\Admin\AppData\Local\Temp\EIkgIogQ.bat

MD5 2d1a7a2bfc54b5697f94db8111f0a6ee
SHA1 5830ce543b7bde27f4385a65c62fb2887cbb129b
SHA256 cad631cbc1d06fa08c706dfda49db19689ebc5e55f0ededf5fb6144ba227e67a
SHA512 60965f0a4a50f002d686093a8a005e2dcfb071ae69038558337d248bf5ad6902a1cb766076dd61a500aa02bf11efc781a4f60857aca1f59491e26473aa001020

C:\Users\Admin\AppData\Local\Temp\sQkI.exe

MD5 4fb6f03a86b6078870d9f46cc0942944
SHA1 c0984d394b782331ae2d6875953598d7075865ba
SHA256 e085609dee5ca9ee52a38544fc25c6e58506dabd89149c1a34e74b291250cd9a
SHA512 f151a2632c34e105bcc01875631de6bf7fbd056c689eb4252f9e04791f107445f5cc3c4a2e38a410a478e5f3f29ff5e8ab51b7a34bef4c9bcd4e5616291c5dbe

C:\Users\Admin\AppData\Local\Temp\EUsY.exe

MD5 ba1f372d8bff12fbad76422c6684d3d7
SHA1 d0a5e9887ee23b074f0a5211226b4f4976812f40
SHA256 114e6740210fe23f5af6066a907fea57f245a9933a173951623f5e9cb45e3dfa
SHA512 24a7c9b20e4c5797e651e4df1082cb69dc8e6c878b8be6995eeed0be5ca5fb0bec8a174ebb2c4412f2c82ca2e1954ea7ab5aed2850065c1868d25e5090fedabc

C:\Users\Admin\AppData\Local\Temp\ZQowMIMA.bat

MD5 72394534f76539bba6738f4adab23f03
SHA1 ebe0f21f9de39e9c244fe7618782e50035034c94
SHA256 7365843efa5292eb01e51ec3bb20a68de0b3eda14de90936c3903bd62c4416a5
SHA512 e53dd2cc5294abe2b534a94ca02695c94758342242d0a9696cd6940abe10181e971e4b9b095a63a8a3856df730d117bb260fe09815ad0fcbd83ca34cd09d0a7d

C:\Users\Admin\AppData\Local\Temp\ygMC.exe

MD5 556aff53e646a6f122802fc183ba55fb
SHA1 bbb967da96f36f3754ea3ef133a361e55374d4fe
SHA256 906cc5a98448a2a69bb66f45fa6bb7635f09764f21bdefc04077f211e37d0ef0
SHA512 e1d7273bc87a65a7f05d38e60f44d95c9ec809e362ba04fe8226b3127ac0f24c113bfd067aa59b07185f7e7003c12d503d8ecbd06e228d3effe8fe3ea1102450

C:\Users\Admin\AppData\Local\Temp\ogQK.exe

MD5 5f45b8260e066d4f78a35a908a5ab5fb
SHA1 c13da296846bc5193d0f70cc96c438222575e6f0
SHA256 d188fe7cf3777d51696207f6ed89d57cb6369eefe630f2310873d62b48be0a4d
SHA512 f09b6aec4af7f7dee7c41745974f19da1906782f99ede9a9b7fd8b2a87c36ba9b25c9774c7d8b3dee60f3d35439c4f90a587e2405cdb58ae8db8f2c178ac54f5

C:\Users\Admin\AppData\Local\Temp\qQos.exe

MD5 5557d9a22324bc9f30b57685539bbc0d
SHA1 4516a8fd6e202dfc2c3d88e7476fb77f852b7128
SHA256 eca64b6c5e0efc0f0bd0fd8146d97f7620d01fd61cf48333557f76c4803697f3
SHA512 2b5482a00ae3b1cf89d228aa0c4daa0998ba3bf1118d32a3b0ab78c4934d34316bf4c1ab03a14999c945f4e05526cf8fa6d9a0f3c0191fcf2ab5f21c76ef1663

C:\Users\Admin\AppData\Local\Temp\BgMEEEww.bat

MD5 77c1c0b2b6822bc6a7a250858e24e27f
SHA1 e085c01a0cd960542d66113309e292186d7f3db9
SHA256 314e96d7e127bd4bbc31b8c28f912a980a5500c3eeb2538d6647f2e49d52a150
SHA512 29c725f85d47be805b37a800cce5c4534b314dc2966e1b5d5dd92b1d15bb2c3a0b96231c44ecf81b150d851863652232d66cc79f004895952c4f8c0f5bcee799

C:\Users\Admin\AppData\Local\Temp\mUos.exe

MD5 a0de768d0d054f56a9b63d521324ff73
SHA1 8f48612aa024af2f800ce5044bdecd4791811fa4
SHA256 278aa470d947eb6cc620f56c346e5bd5bb3a13bc2b3a3b3b2663eef6259ee61e
SHA512 cefa2dbdf6a8c4b9b3aa1c064d6e88abb97011d9ec540913453eabf7c0d1efa8d5325166199abd3344856acc6aa6c611e06c0a061bac5da7630a820899de2bb6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 e12c2d5f73fb10a54b4d766bd7a93ca4
SHA1 19093357b7d5f2b6479f1f9252c6f197701d10a4
SHA256 bec0e51b6d1adfa9a7c4a38127ba2000f0b25e2514853a0ffab204fd6a22dacb
SHA512 366570e1600052eda085ab91479cdb474886633a7bde471928af26466c833f39688614da8b6dc4848f6cd91ce34ade2c19d68e2846d22fffcb36e39f384878c8

C:\Users\Admin\AppData\Local\Temp\MAgG.exe

MD5 8adcf43e6106c5d0bbe850cb77d90ee6
SHA1 6881ed30feb736b3a161ec64366f123d04be7432
SHA256 71e4482845a6d6139a88e89d3559130dbd5e28e2a47bbf45a474ac850c900718
SHA512 a450d9e3412f8f77b08e8beb0d2bc16c357039b432381464e9de2995cea60af2b0d7a4586659e56ba8ba3d3ff66f175fbd9e5510db8bff42006eed91ec845aff

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 871d295e760b4393babc339608e23810
SHA1 8c08c009ba1a819b84acb14d22954cc0fe9cf9c4
SHA256 ffe04cf4e4c2657609d085ff31977e8f889ea76763015a7694249cf6ce344ade
SHA512 07108d3627c36625531d6c9ef0cf697896d6a7476519b796c1e911581949c13d268fb3de6acc59e5e6aac392acfa002ae5115cd15b9594dfc1a98994dbe3e3d9

C:\Users\Admin\AppData\Local\Temp\TqUAUcoc.bat

MD5 9732f9151196f4ab14316e24ed359312
SHA1 7467aec9610c6309a511ddaa8a3b932837291c04
SHA256 af3b238f4519b5bbfb51a4b0c2aa4149a39931a7eb456fbc1709c875d3bf2b80
SHA512 ac5555fc3a94e5a77504f4945e598fdb41d2917b7d1b39c950019384c50c3b86243442a04b8493c07fd75cf3e7c5bede5bab9c4998facdf7d95ac5c41bc3a369

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 b0a81578594100f9532de755ad4becf0
SHA1 20294da1a982a2715559df0f98cf46994653bf3e
SHA256 45d6d11fb66ac672d8d2f2dc1e61312da46f5e4c85ae584382116837daa02e51
SHA512 e9d739a8b2df337146258a74cbcb21436814101627f786101a879f447547a775e4a402d3b9c2ae0ffc7bd51991cbc3ce4e411177e074671cec687a03bbd480d2

C:\Users\Admin\AppData\Local\Temp\CwEU.exe

MD5 a3f3fdab7c7f13bf9e77602e97b5cae0
SHA1 0165426c18089f7565ddcb12f20e0db070f7672a
SHA256 ccb39f696e0311b1f5329123c9e2b268e9191eb4df73d3c08b0b55347c5703f4
SHA512 d04f0db065c5cbb6f6fb853ce2c5d5d6b60ae0c7eafb776a2024ecfbfcb46a88d99e46785a2fc97f3e52efc739d67df60f39ace3b9546c60e276d4cf22758179

C:\Users\Admin\AppData\Local\Temp\okQk.exe

MD5 765084b73e386cda985213f186a0a4a6
SHA1 bc86950c11aeb2f5fe39062c3dd836ef997a3747
SHA256 730efe4b6d1c8f254882678ebe3f88436050496148fdc6dba4ffb8d520d2baeb
SHA512 43574da83e55ae516a1248d2f269e438e9be8ab6312e1cc072bf1cdb3487aee975556c557450b70a9451e72a3af75836c2e193ac84110a36d7103a4c1fa34fd5

C:\Users\Admin\AppData\Local\Temp\qsMG.exe

MD5 fdd758ac04ad234037a805a73a6406f2
SHA1 92a85be332bd76f9f3913d3b9473c855821f8f2b
SHA256 27849d12c9832e38bcd6d129fed4a38c69d26229fc9531fadb058c68aa42a9cf
SHA512 5ae33d4fc2af6674dbdd03249400b374af9cb46247d035e2b8889c37781fbcbd7f269e6704366f309180d73bdc4926bddcf187501a85eccb7768a75904971ba1

C:\Users\Admin\AppData\Local\Temp\MMcS.exe

MD5 d12cc4c4d9c140c056ddd262444c54bf
SHA1 4f0b031d84cce03d796708feef3a20cd0cef924a
SHA256 2fce4053606678ee6daf231da275eb761dbf1508d494274148407c798775059f
SHA512 a8a2c4d0f4b142e95e53861962eb466ee0d34a686c1e2029080e8d9b0f7ec2deb40b8fcabc9d74403916563c98d36a6e8086631fd1c9876fa691f49d53df9243

C:\Users\Admin\AppData\Local\Temp\jKwUYMYg.bat

MD5 36b441bac9f44d5f3537fa7ab4af8109
SHA1 a7b28999c55977cc6b23d90664b888ad0b1615bc
SHA256 1c36148506662d56a9e9f87436d6220eac655e17b60595dcd511f87ac2e189a6
SHA512 d1811e463db38987a92c802f8ca55492480368db193a25d51e55a68a06adea77bdb7d12f2af918598587bd2ab8f776b2230c2c97c1aef3d90f62a3f7187a6e38

C:\Users\Admin\AppData\Local\Temp\GEYU.exe

MD5 a40e050733fa28ebd415ac2968febabf
SHA1 c2729fdaa1bc30acfbec219769cec2fe2e50e681
SHA256 9f150d9668eedca2eecece0efba5546ff2d64ea4242c805b751a0a85a74d5ba3
SHA512 6a82c84c07eccf113aad6f6c8595a183c1a3b2fc8ca112dda511d6bba2575390b433524ae1bd0bd2f4e723fc6d96a42a989023d28fe21af561aeacb177b8c4dc

C:\Users\Admin\AppData\Local\Temp\mwMs.exe

MD5 fcec08373498a2a9254bb27fecf8e4dc
SHA1 12115487a0361a4a8f2a4b48f8a6656344080f05
SHA256 c0ef4d08b39e9eb76d9342550eda32e9a6e60972b1e35da8a794b98de35c43a4
SHA512 bf17e530e05c16cd841f85425224ad31058626a2d08e030460a143b98c5d3338ccb5009a3fb5db6ce335299ee45ff36c63c310add82012374e2f0169c85a374c

C:\Users\Admin\AppData\Local\Temp\OYsO.exe

MD5 6b6f8d7620ec0170e1df8498ee22af40
SHA1 071944d91b65f6ca2419e1a9eef7fa0ef6c9381b
SHA256 e3e190753f38ebef3536f0373f96e49636fb1dc9ee0a7ac204d45ac1f8fd40d3
SHA512 f3faac48037780fd0916e59cd2abaa18d9a35f53c812485782f4a8254a37a0d0c8df08a6d0365a9ad2a61cfd602f05020268b89c29f24e50eef99a1bdbe09d66

C:\Users\Admin\AppData\Local\Temp\WkooAMMc.bat

MD5 23e39eca26403877cf036129a0582184
SHA1 1adbdde412ce7071e4cd9b67507f5db9d670516c
SHA256 f811a576b83f0a3e31ade1fa7abe278a59be1c1baf6e1274cb47b88273030fa3
SHA512 97fb24281206530a4a1c0b267fd07bad199962e9ecb5cf394950063f7f16aa71906eb1a04d21ea5a67cdef200bb04de6b6c8da54120af0ca7210324acc35f2e5

C:\Users\Admin\AppData\Local\Temp\uUoo.exe

MD5 b1a25fffe748d600eb6c5045276f8453
SHA1 34009149c0b8686d4f90f32c684bd2659a578095
SHA256 e41e310c58766937772cdd9ea52a5436609ae43bbadcb661970275d038b41600
SHA512 65edbc96243e23b5879066e717d5de5af45982028f687c745e511c5ed274c11f7b82c4791f7b35bee4aeb910b8563c0707da4bf6126d5b1254c871943123c9e6

C:\Users\Admin\AppData\Local\Temp\UEYk.exe

MD5 b82edc89398a3add17294d94b0d1910e
SHA1 459e6a04e4d5f9dd0f329d562d420eb2afab8827
SHA256 ba8da5e08eef1ccef696ffe01ebb73f5e9f627320b2e072f75faf43fcec63316
SHA512 539a3339b199421b2cae17f824d4f0228f712c850046523a5540e86947a71584e5382f776792ee1d7e5b798b9815f9ebe933673421388a44e8d51953c0397554

C:\Users\Admin\AppData\Local\Temp\QsAS.exe

MD5 28aad799b43a85772b35932dbd85ce5f
SHA1 d202ba4ff4a6f946cbaaa83eb94af74e79cc72b2
SHA256 7694196753322ad0dbb4aa47c7d8965ecaea5436d11133a8eba3c59e41267a98
SHA512 bc052f87d0e94dbca7405c9bcb06bec6d70a1574eca33800ff9a2d5c45be292bec9844a4e642014d0ccf1db93fff4437b34c4c84d305f3ba2d7fb7b18586d187

C:\Users\Admin\AppData\Local\Temp\EEsUIcwQ.bat

MD5 b28b8baa1f64a80d65f197ed1315a578
SHA1 5a08fc6c3254470bd83c9e492cdd2cf7ba4a7a7c
SHA256 14b0f0c7e5341c95ef6b11066bb19fe24877a8da553ccf278a8cd44b2e569d4d
SHA512 665e3cddd82b93d32f58e7200040624a152543ebf8693da3ecc8bd6eac90f339a38531939cf27ec32d962415ac286160514ffcd08f1fa6381d135cd5fb1d552b

C:\Users\Admin\AppData\Local\Temp\agUS.exe

MD5 bcfc1182226aad89eee46ae324dde0ad
SHA1 6a5d1590da744ab387456eb7ca9d411c28be30da
SHA256 ba2c5b6e91b678c7d980cc0adf17f72f0668bc60d853c572e238b65cc481c898
SHA512 27fdd74a98497306843b25b97dc4801148cd9149aec8705ac571f0b0feb9074f24e6c50849690c778096e59d77c45befce1cc72987b6fde563a26fd117c97473

C:\Users\Admin\AppData\Local\Temp\QYYu.exe

MD5 3e655f92c84ad525bd46d5cadc26b8bd
SHA1 9db078d40730a51aedd50cf4c88f667d3d114c3f
SHA256 16f19fd80035b6fdcac972c3e166860a7eeb9323500a3606fae311c2581e0dfc
SHA512 1f4ff8fa14cb364484d701c3daed1e6470421db454ffc2b16df2ef7c262ed27caecd4af908d54ec17752bc2f6423710dc401b3b3652817e586a2fb11bc60edf2

C:\Users\Admin\AppData\Local\Temp\sUIk.exe

MD5 bf682762ebf6020ef413e4b3dd09f8e1
SHA1 5ac239399d159834419eecd64076adc5214edd3e
SHA256 00c413143281e2258cd94b33047a7db38a44e51d8e26bcbad8d6c65f7088a92a
SHA512 294e3d72beeefe802085fc432947c076ed52de5be5381b4b472cc167209d67a065809c83c1d8aca5a408de9a8d1c54d61832a044889acd78f8948b3e5d7ca8c4

C:\Users\Admin\AppData\Local\Temp\swIYwIYY.bat

MD5 5924887963bcb64f4f37e1ce5aedbf59
SHA1 429c737a871931952dd14727049a21ba51d48289
SHA256 7de095dd9ae189c03e29575398cae337f269530fa0890ed25b13987047708580
SHA512 71b88b67371b4f9f78286e76de4d9fb67f27e5de1b063ad905e537585c6827582dbfa3ffa64b9235ce9859879f50c011946171d80735ccb1cbb192b5561f6b64

C:\Users\Admin\AppData\Local\Temp\uEkU.exe

MD5 797ba2be40a5691c8489d523f79b2dfd
SHA1 2b5e51d8995f8621849e7c8cba90c08de9c95592
SHA256 7d0157b5ab38e5f8e85ce0551e1013d11e16db01704162ba1318e732608eec1a
SHA512 68ee13093a047ef488b5617441f25d62cb9c63b11e228142be0412e66463abf7d532dd949242d45d02fbcc413b49ef5ed0f30912929b7fc6561e6d44dc43d171

C:\Users\Admin\AppData\Local\Temp\qAQS.exe

MD5 dad9c6788c78af79bac3092f5d521d9e
SHA1 4b8af794c0eda7d42c132cc7e27d7b9d255df1c0
SHA256 ef30b078d9bd0e3c86fb10e1803fe1747752db40f088d9f3b9bdce482d5a2844
SHA512 af8e748d974d5e7a6a126868ffa4542dba815bac3f5d23c5dcabab4930c49893b10fb9d826597cda1cf8b9a438819a6927ab4294e836432d053f94b1d03722db

C:\Users\Admin\AppData\Local\Temp\iwEU.exe

MD5 f080ffdbad123397c9faf02b43d9875b
SHA1 910b2862a5fee59b0281aee98c27b76b2ce0fb06
SHA256 2a86b6c05a4f5a62a9066df895a9a7afeab4d94e3843efef096cb8ed46687e53
SHA512 ba47602129b65a360deaf9d312ffb6a799c630a7042cabe1b6f19ecd4a368c81766f7edc449381dd00ff2cfdb5b1a3ce5107f017028b53ef63906150e0a64814

C:\Users\Admin\AppData\Local\Temp\cYEoYcAg.bat

MD5 f92f38979c395b28eea894e17acb0b20
SHA1 b75c6e3665441c734c19c0b1580a9a677eeed8ce
SHA256 5927004e19eea0bdd6a6eba1130c90d71092404175ec0d98f9072e3d5b88cd3a
SHA512 02c4c31469c08753195487acec54aa555e853ecece1ed60f41f38e428d6e39bb36c3bcdca042a9f185d03a441cd4e1db1f2f6e754ed70239c9003aeb278ae4a7

C:\Users\Admin\AppData\Local\Temp\ukAC.exe

MD5 7ca21fe1c270f0b078c8f71eb9d41a82
SHA1 afe82c6c99a5a4d5d101524ae670f458f9ad3382
SHA256 c1f43bd36fd7f73cc597fdcee502cb3dce3ca78b99aa7fd6e7ac400359292638
SHA512 a9b90d792f4ba80d9e3e9494e3f8a4e76610830df74bd39e3029282445321bc429046448239d2e25c7a11d3c721b99f7fd70f2fea34898d68c54631256c53bc6

C:\Users\Admin\AppData\Local\Temp\CIsA.exe

MD5 52f22361dea9c818ac639d16e410de74
SHA1 ac86d14e9e67fbdcdbf75ca930ffbdab4131383e
SHA256 a00b99e99a7733a791c19aacc461d5fe790938dd8bef9ebe68d26250768a99d0
SHA512 f695bad2b7520c1390134c7fa485301daec3ec3f424c15494d293f406de71653911c53370da5fb1da4700e95ec361f22b7afe4fd52dbeb0e37f592ab9732d68e

C:\Users\Admin\AppData\Local\Temp\fKUAowYs.bat

MD5 8c2c4b0c8030b85c46561d831d50812c
SHA1 630037ba55efd1395340c896b7bf10326fb90d2f
SHA256 be23b7d05e9e6fcb524080461da9e155f8dfd6ea5eb781417d7b1690de3c4d35
SHA512 e0e816cbec8bfd5daa86bbfe9d579fe829c7cceb1406105546799542c954578512d08f19ef89733336aa21b66e7c883c2260a3425251f1b81234962416294c56

C:\Users\Admin\AppData\Local\Temp\CEEG.exe

MD5 fd13d6948a7b99812dac46a2d416998a
SHA1 b881ef46cfcf1489e73edfecc43df90b692aab84
SHA256 1a081191c17dc8d3e6753f083d10b2c92de78e34bf52275e27577aabf8917020
SHA512 d0175721cd296a93d09eb2c7744cf35d8d7e601922165fa19c5331b6e982c4dbbd7a71a001c4e585542726bb38281801d25a7c143e3ba093a1964fd7e48f0566

C:\Users\Admin\AppData\Local\Temp\wEEY.exe

MD5 378e66d6dc702aa6e1fd134dd49d4468
SHA1 da21efefd0ddafc6de48f992ed9f0ef6f76d6b87
SHA256 4297baa274f7c3571e9190ecb0506fac80e9a00f9e76cfaf1c71fc587ea1cafc
SHA512 67d4b735527ced076aaa61edff23440a410543a3f281804eee61a396d956de950b1f0630bd50a7d8db80fe6cd09d959f42106e2d1c2a0f99364c83f055221f6f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 61929bfbb41871a3c0e4da0839777768
SHA1 256505cdf33aef7e4d75ac8e64ba9040d9d78a9e
SHA256 ab18f75d0cc51444a909bdd7a9b52840f6779bd6ea46fe08bff4b784d676cd79
SHA512 eae34627a086bf09b814a1063adda61c06a7dfc7aa37d28d06f6c14e5fbdaf3b1c109f74f213536866cbfd71fb27ffdb50a669f885f90494d5960743e3d278c4

C:\Users\Admin\AppData\Local\Temp\xUEYwkEY.bat

MD5 d05d3e4538e0cfb93f08627a9febf368
SHA1 216db92b4288dc8b056290a36bb954680451d18b
SHA256 a8a1f7eab482d0c563d7db26d3af4d64edfb723b0702f3697bd6d1351d012676
SHA512 5f063ef5a3997975e5549f4b6e294576ccdfae1e246ffe26fe272bf2198b796dee7599e550891c1c55efc284534a43da5324da37ce8111c79d5a3c1774e17a37

C:\Users\Admin\AppData\Local\Temp\ysgE.exe

MD5 a882712134a4a606907e152ea296d583
SHA1 4836c294872743cf46da904b94ba1f1de3ec68fa
SHA256 e92b76e0efec8f74b14e1c835ece7382644bcd2e8709805f911d2827c0db157e
SHA512 14814ad15659d5a874246a3847f25a9dd72fd0466661078dc6b48be6b974b0305e2acdf300750ad78c481c46121b19c30e4fb86c023c95643816cdc5d2a7fe8e

C:\Users\Admin\AppData\Local\Temp\zSwIUIoA.bat

MD5 44d45b9af05535a5ed91e700f3a197cd
SHA1 f54448f69ccc8ff944f53b309c4e8ccfa41b9b8c
SHA256 685512bd1296c8608f80a23d1d8bb496274a24a10f8d929d1e3a81aea4a7b69d
SHA512 ee4a7a43aa58ace7e4ad6b6a9112c6bd0c2d666412ce0bdb8e956c1cd2e322f023966df9a3433131e0add34f61c94067e35051b593f464107d48562d1ec0141b

C:\Users\Admin\AppData\Local\Temp\fekUYUQs.bat

MD5 3a75010405f72ccfa652ad4f5c33bff2
SHA1 f79150d34bea725dd6b7536fa99ef99dd88d550a
SHA256 024e9bcef9221722607905c60ccac6c2e7df2a8ac3663ae57ae65a0479912594
SHA512 d49b50cfb0206a0215bbc2f60e09dfd4d7453431f2351db27d216163842d4a84692b3f8a8c530fb09ad3e012dbb55a29d533e24572e1a960e0e4f6d25ed43a5f

C:\Users\Admin\AppData\Local\Temp\GsAw.exe

MD5 641871f0f80683f0930ecf7b31f5d7a9
SHA1 c3f7f71139d038305fd55fe5c076561c3b91cf72
SHA256 819ab7357e66b296213c84e0dd8acd38737d1444af2a92c68020fe3a1a169f90
SHA512 6ce51225549312ebff0e52168369bb2f5e0309483c35f5fd8df9e80c7f9839e330ce2eb7a3bf252e33ad7393a37264689b0033fc75ea0bca2a6b2b953b553d70

C:\Users\Admin\AppData\Local\Temp\aIEM.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\KgII.exe

MD5 e3fcf72072422b94b4269ed4e9490ea2
SHA1 6e5d45d93f1830b27564088d166947d24a84670d
SHA256 550318e4c0a719ac1f59238ec6a28825f7ae9a5a7a2a0629ae78701883f29391
SHA512 8b8252392e947085fdffa86e0d579be45d9318b643331dd163cda224e27b1009e50ba17096d99f545c52aff7789f0494f02d1a41361d82302f70f3580506693f

C:\Users\Admin\AppData\Local\Temp\asMYccME.bat

MD5 1423b497c35563a0a8d233be9541d16b
SHA1 5ce4cb4e9a8d6c1a7c7eb71d6e0f0c93e87e6930
SHA256 692fdf160004b83e14804edba1c9c8b02ef8c85efc547d0855315cd939925ad2
SHA512 1fdc9244aefd26930f3c89d8d45d95f7f0257785544df4ca177927c3e1482e9845184471e7748d55aa24f9db9ab6013aee0088ff9aef62a6c904fe27b0e9b9ef

C:\Users\Admin\AppData\Local\Temp\mwEC.exe

MD5 457c56c7cf74d45a501709cd49f2e3a7
SHA1 0b9b11d42dd99c2859dbe184887c8f6b09eb86ca
SHA256 aec090a18f3f7002d324bc94533a8cd150f265fe8af3e2275013cfa5dbe4a57b
SHA512 aad57ee8170c04c4b231502b122ae2ee3e4a5bb2f63a262505dcd8813b6876a9c1de998e803e89962cbaf3f34850e6b54bdab39ab9325ac74af0c48ce2fef74f

C:\Users\Admin\AppData\Local\Temp\UcYQ.exe

MD5 2a5bc8a5554cf5f27b9b886bc3225722
SHA1 5159edadb451bd6e2f82c118d3a2fb822fc7bca8
SHA256 35cac03c363031b8a0ef773283f750b42f74d9baaee0812799d8419c52d7a20a
SHA512 7216e3b6425ba5ae9229ffc7185fb300d33bfe7bad317826a5372e55d7cbe8cc321de3a838c2f3a3c45754bc38ad2949241995e672673273f58cc87d775e498a

C:\Users\Admin\AppData\Local\Temp\sIoa.exe

MD5 6224847788bf923e8f13e431f76069f1
SHA1 496bbf3291d2ef19788c28057da4ead19341bbc4
SHA256 9d520f7df5d48ca986464a8bb560c76513ea5553d2b0150e3ab23b60e3d04f6c
SHA512 e51f7494a7ab7e94470e32e287e5a51ffaf271d5b8c66aef70c96b7b00fcede4760894092c126a6bf304db2aa518428e39cc2e12f2bd39a46fa346f7887be1ed

C:\Users\Admin\AppData\Local\Temp\KssI.exe

MD5 2be08f7b38f43c455a4ff9cbb748481a
SHA1 fdd43ecf81e3bb7762fd10ddac89fb2556df1457
SHA256 0cdad5cf159395607f4a806a07038fb4e5c5ba33de9c7e6602273b2861d48c5d
SHA512 002b58caf6d5ec30518a3a48455ae14baeea50ba0043323c25803f00c1c464aaeac5624a6a7dc9f0abb5e70ef357860561bf97f148f3af20bfc8a95dd0460110

C:\Users\Admin\AppData\Local\Temp\WkYi.exe

MD5 8f7beec88709a9f7e4df2b8e2682698f
SHA1 e817b9e0e5d52a551fb8dc02a4d00d66e2e1efe1
SHA256 6f31349618471684e6c5fc2d233f70d1cc8551fd4019410804ad14a298ab44db
SHA512 a622a298cc268d9b7e30b812ed6d2bb9bc5e94afb701341272167e133d139551d5c8d939dad8598a3b2970487bd49d4df0b720dd1a011fc3512af6576b648414

C:\Users\Admin\AppData\Local\Temp\mOMYEgMo.bat

MD5 335bf635d1b8376d1975e371c7831eb3
SHA1 4941a04cd7a91e48d47c217abdbc0ef2af5f617b
SHA256 3bd3db9a8b1ae99972e42a64e3169dac3466de23075daaf36ff898a64a8b1a7f
SHA512 2765e1857725386fd3e0e282872e875e954cbe8f78407d40f9c054ac66e5755aeae485f3afe056cb16551d07951f845953a2c53017e85a40c53a92ab70a8410b

C:\Users\Admin\AppData\Local\Temp\OgoK.exe

MD5 9927d6dec2eb15c2ed9916480f7e8e3e
SHA1 7e44ccaa950a9a81844042e9553a41bfe1fafc70
SHA256 4674b6932889ce511f29af17b80b64b6e8befcddc60baa727b40a1b208d09dea
SHA512 006b23cbea7f1e26d4e5fd4330333b3321418bc019428c8b120f066b1fe8a4c44211343cea7221c5ff768d699090f1d4b99e9fa0e0999d9d8dfb6be4059e5a9b

C:\Users\Admin\AppData\Local\Temp\ykUU.exe

MD5 98738d37bf5ec11427b7d86e035023a7
SHA1 1f3cfa063d3bd5ea156b038099f114eeb2a8f006
SHA256 3e0aa4f3fd2e2925f799e7c9057b93f4845e7e8e608be3f5b532997a20ede371
SHA512 2918f0b544db403697ae3f7f0e3c26bb1bd16f7f9812be525155cdec1ac367e9fd9d83a917f57340f4902a2b141d58be0c3f144ace2dee6b5b424583e7e91bcf

C:\Users\Admin\AppData\Local\Temp\sIIc.exe

MD5 494149fe649bd148b41102d58d0f1640
SHA1 bb25b0424cc59dfd42afe7f5a65112c6d2aa5dae
SHA256 a91659139190261dcd4825efae9b489ab7375c8103ad7b4f4632399f36644c28
SHA512 7b1b6a43623e799095badd582a3fded2885851232d6ec88f678bac0f95e34cb497ecdc9c23046be6edd7bd81a65a7152d855d1f79356accd360c78d1a85568d8

C:\Users\Admin\AppData\Local\Temp\mkwm.exe

MD5 c795877ded4f73c2d06582ad68540269
SHA1 7f1d52487bbafb3fda621c8f3831f9a56d01d638
SHA256 d896076c591fba2306e74ece40f2b3504d7ae82516ab3bc2b10e0bf39d80a6bd
SHA512 1d1b04e4facc038d2a12d50ddc699a5ce991e29b05d692bc0d3612988fefdf6f44e7966984d97904cb86e2077a2ff8caec081d645d833c41cf39feeec1abbd9c

C:\Users\Admin\AppData\Local\Temp\yIAMscUw.bat

MD5 a87444e96364386118c08c31f87809b6
SHA1 f31457730890500cc3d8dcb448a5120b0e964e62
SHA256 2865bb14a0ccd11dd11b1100677724e1e16dbac1a23068593847fa9d59ffd2b9
SHA512 7442616b1ecce62834ddc3e3106a20eab00516e5d05935153db35282d9a0491ca55445b8f58164b62782843ee24664cb133bf71ee9a1b2f61693218e1d34623d

C:\Users\Admin\AppData\Local\Temp\fsEskkoY.bat

MD5 e8c1790035fb17f4fbf033874a13e781
SHA1 aa63c9e48434591e486ee4a341cbc3d6a6c5fa55
SHA256 9ea027e52ed701578ceb781fc37018f0a8b9f9b673acbf5456d6feba4b9c4f65
SHA512 b10843bb0bd67d872845d331c195f30793c28371bd0fef22d52b859f8d9ca8dccccfc4a0bdbe295ab90a55c89a0c759fdcee90711bcfbb3b5ea2c94e06ddee41

C:\Users\Admin\AppData\Local\Temp\VeowkkwI.bat

MD5 d1f92c03e2018d7621c8d564d20cd3d6
SHA1 725ea0ef9c54b89a57dbdb3fec9941a42d3244ef
SHA256 2606c189e72af59cc1bb5259eb2e7a296dd03c605e83c1a5bb8ca36e02019b3c
SHA512 9cd61c46e0f16d521b4fc39f337884a877d9b9f754b62929996abeca4ab07b26a45a39ee7b4f2c5b5c3c2b3274516905001041034da9b75500728ef8e9e53dcb

C:\Users\Admin\AppData\Local\Temp\jaggYsoc.bat

MD5 ecfa1dd6e7168aa01e97be335b56fab5
SHA1 8735bf96f4f8da2507171e4a7406f421bec9212c
SHA256 1b087727f90128f35c6084dba1b04e23d178abecf3ba77cdc6ecc68b746dcee3
SHA512 961dfc5333398c05df0b2ee60035de92c26b864705eb3a7e7c7bd9300985fb71ca369e56687240833460877b5c44cbb03f4cdb6432d1bafbe630e0bfe9a56d05

C:\Users\Admin\AppData\Local\Temp\PKkwgAgI.bat

MD5 53d5d43aff8521619ba727f83be2efd4
SHA1 66b58a57281933f3f53f443b08ed5209b5b98690
SHA256 64881f1cc94b9839a2b06dc1a0afb317c80a336022a6fc154dcbec72ae1a9a32
SHA512 ef22845866d8f854f47c9e893a8f2e1065b77c1457fbba62320e960fd9fbb475f5e03048ccd3354f16e19b5fffb72aa314e0036bcfc5293000e3df5e81f55d6a

C:\Users\Admin\AppData\Local\Temp\OYgYQsUQ.bat

MD5 c523f841e08bf1cfdc8a546a6f5d3bcf
SHA1 19aa2ffe48842c28c120b68e4c18ae1725994154
SHA256 9c3f69dac251225cf03112b825a108869050e44ae4dec84dc4503bb787522d22
SHA512 bc43c08a2e758a9b9bb04a7553e69b12de36b49e6cdf25237f8e0351b1b4b850a01255cdde7d3abb0a1b0309cecc7ebaa2ed2b354178c30eca003005bad3fce6

C:\Users\Admin\AppData\Local\Temp\AawoQUIs.bat

MD5 fa059bf8b28496e16debf5eef5ad1d7c
SHA1 898e750ec50b3350769c3e4952bad1130b47f825
SHA256 9d6fba1a7acf0701bfa061b3b58dcfdc8108a03418a976e6ac9086157dbe6577
SHA512 fd862cbd2428b1f9331432a7777fda90ffc5a1cbf70ba4d6185a1bde3c89119a74baeda1c9c7ee17981e2bd17ce9a0313848ed3e4e7f1cfc50fee4b1847fc0d2

C:\Users\Admin\AppData\Local\Temp\iEgUUwwc.bat

MD5 441ca69051b7d97341874fd2e8c987de
SHA1 29b48b2b4b0c4888583d29ff90ca4e6ada408cbd
SHA256 d4d3991e2b982077559dc60e1337f951e47cb4ef600709d94de207d37e507251
SHA512 153564e803b894a182db9367c8cf7514453743b5e1ebb4359472d57e5393219aa4c24ebfca46112804ac7b519eb1c4174dbe3fef3007c1e136bc90cb7033264a

C:\Users\Admin\AppData\Local\Temp\AOkIEgwA.bat

MD5 803f3ccca5e6cd266775316821bab02c
SHA1 380640835d27bd69685d565bdd6a05cc75e577a1
SHA256 46fd7d43c4d90ff2a507dceca099efc6929fe40ce1d71cbd4af3980cf818a61f
SHA512 bf1d14814963bb1523373dca6a9f6a2e757c003c8648045b8f7b69b85b6ae8bd465a26d6f9a4786e2929b40fef107a6cb214b943a7420302e1907fdcd1912d34

C:\Users\Admin\AppData\Local\Temp\qqAAsocI.bat

MD5 fe0d5b1da817966bbe524abed2e21743
SHA1 fd8c65221d5078c846c8b81a184f522c663c7b7c
SHA256 15ce6f05768e04cb0c99a5ad50c7e5905cbf129dcdd0cada3b5ec0ac561ca1c7
SHA512 8019cfe53e22d3d99deeffd9a37871429e3d38ad18bb508dce7c3f8bfd5d8d48338e27ff8c4d494ee89062f22783c84bab42cb4fa3602bacc68a2cc22d064a93

C:\Users\Admin\AppData\Local\Temp\JUwokcAo.bat

MD5 57b50ad203938ab5121eb309bb66a9a9
SHA1 7eea82bdc33d07fca038e890d6db61583f518a73
SHA256 cf08c6b37336c6c1b1cdbc1e101799f71833d4f81abfbbbfc320b50a67518a79
SHA512 91cc5d22a44eb85022ace3be87f952db490b4105d95b53688f31ae3d28d98aa13468d92b7224fe2b9fea5086380980d3359905706f88d51384cf07c0b6c46501

C:\Users\Admin\AppData\Local\Temp\JKcskkYI.bat

MD5 79756a023e9b112bb51b013e5fd3d4de
SHA1 c6ae4f718cf494f233e0d4fe5d9bfeb88a52d6be
SHA256 adc32c46e03674fef1000f7a1beeab68f98371a8e6d42d69165dd52e541ab6bc
SHA512 966ef5bf6f6c79a027ef873e6ea6bc5c5b90af66b9034a07dca9f7f40df5f168dbbf6986d8527f7ca546ea198ff372832585e586ffb28d1c96527be333f2498c

C:\Users\Admin\AppData\Local\Temp\NsYwAwgU.bat

MD5 69e36ad5b7f22189bf114a3e16d73a54
SHA1 a26b27b2633c82dad8868f554cf857003d28415e
SHA256 88c8b48181d6739fd06570dc8788cade9be286be6745b406f24c8f29957de05c
SHA512 50170514361e3e460f83644992d4ac5c21bd100eabfbbfa4c9b799ba34190e20a400e77bfd1be8589b3d3f3be6a1252db18730e1f1b5b0f7c26175c2324bef3b

C:\Users\Admin\AppData\Local\Temp\lMkMMcYE.bat

MD5 fb4e7d41e43c8a536fff0ec1b75880e8
SHA1 164decb7f538009462c5a729ce03e6d357bf925d
SHA256 41ab5233bad67bd2e47e340ba84163a075dcc3c3bc9542944cf850c32a094b6e
SHA512 7801d8d56f74481b7ae138fcc54c1a75ef0c87ec33ee585258eb4104b0a00bf8fc922714c834c3fb252ea239fd0a95897278fc2444b40947bcd12b24c43724fd

C:\Users\Admin\AppData\Local\Temp\fsQgsMgA.bat

MD5 1e1799df0aee84159f261976e6ec7c88
SHA1 de48aab8392ad7ebeee3620803f5365f28bd59cf
SHA256 b6b6dc277dbd75f5b9080f3a08b68e661d39964e9e6cb424c10742a99196c308
SHA512 59321427d16fa24beecb06f1a31d668c44aee003d12ba40c85d6cef12bc1b45d28c1db1b7a095bab08cfcec9c49a2af7040d6efdf1d2f9eb82f5308b49bbde6a

C:\Users\Admin\AppData\Local\Temp\gWwccYsA.bat

MD5 3dcc9da207b62008b61597a66fbf8f5d
SHA1 194d42007c5de14b7637a29cbc71b78b5922b7c7
SHA256 651d2f78bfc46ddf68743319ec1e62e0944d480add10a3ad631ca13a09b7fdb3
SHA512 d0e1bcffd5af66edaf82629d77ee3d8015bdcd6b6c6bf05a282a32d3df7492f93cd02f2c80769b53ee6aa1fb7686c3b3976dd651904740fcd3d2c11d7763cebf

C:\Users\Admin\AppData\Local\Temp\UkEkQwow.bat

MD5 a6fa53890869a0daa2a7d9126506e8d9
SHA1 decf56d6781796763edfad38db3dbfd7dfdf36d4
SHA256 293de2421b71a7e88c10b063bfed2cdbf4e0c2179e04a42ff20cba369c57b37c
SHA512 f6414f501e76efc9ccb4aa242c9be0a307c766039a034ec82f4cf77f88debc79bda4c6d129caf4903f4af58b2f877757ce578abd3aebaeb089f066ae29f2f9de

C:\Users\Admin\AppData\Local\Temp\mUcYYAQc.bat

MD5 651f6edcf8940ec4093a18728aa3259b
SHA1 8f55c7e67285b45194b621f7d554788a1e92b4bd
SHA256 b674fe1cda1f7bd401da019981095ae85d046c71c4862081914af7b0561227cc
SHA512 07ce0585385512dc93bdfad7799d9c22b0dd4138649cf8fbda3a185951f839152e8c3b33190eaf09252c09913e7404cd6045e38e1e109617173e2f4176a8de82

C:\Users\Admin\AppData\Local\Temp\ayAIMMoc.bat

MD5 14fd17ab8148916c6aa463c93994463c
SHA1 7f51f6b1835891dbdb48b1209823f81f7c2fa026
SHA256 8cc895bdfa6642da27f299467835b3ec23219416f2c952f8a2ce2fd6c285ade6
SHA512 f8bbee7ff778537e37724742caa0ee9716a01376e017b5dd6aaa067afc804ca8e8963a8b6e023d42c5db9bd69ed2bdd0087f95e9971d801419f1d727b6828ac1

C:\Users\Admin\AppData\Local\Temp\QKUoEMEQ.bat

MD5 0c1225442e20a36cf2f5882583cf5ecb
SHA1 7c0f0152f0d9dacb5ba64a998138395ce3b41ef9
SHA256 2f47eab7640d9667be0ff140850d18501f4a7671d0e265f9ca645111b7f17c60
SHA512 976e06867bdada42c61eadd9eec82f6cdd7de3847e0d4f1562ba71d28594b20b0abe5bf76d796db128014ad894bb4c455ad4b106d66b049effab256aa96c6c02

C:\Users\Admin\AppData\Local\Temp\JckUwMoA.bat

MD5 ac4f2693dc63a6310e59bba1dd43c727
SHA1 731040733a074de40ed41fd518becdb23d246833
SHA256 843b7733c098dfb16aa1492080c170ca6c907c192c08d5197410f0aadcd827ef
SHA512 ba6c5cd3731a353782c40cb4d01a5d5f932464058408d2e3ae799cb3f8787ce9fd8005b5476d03b014c0c37a86bbcc1d4a2d430979d58c37e26d86cdf32931de

C:\Users\Admin\AppData\Local\Temp\NkgwMUsY.bat

MD5 4bf4c0807521edafc2fd00a849e7ea7f
SHA1 ee261ec02172c94787dc39ea331ef67b9c1d1465
SHA256 434d786a6e21cbe9545838decc7c1380cd83696765d707a115eb30785534f12a
SHA512 de0c181b2533d5d6584fff20bb69fece478df6612662d97b777a5176d4dcb4d2a6876c605d221bdf8288c97ef49b316eb36ad2c4890a4d827ecaa20601355a7b

C:\Users\Admin\AppData\Local\Temp\XasYEQAE.bat

MD5 a7aa9e280dbcb60d1f3652d91417f7fc
SHA1 9d9e4f95a518d82cc1a44f87081ae1b47dd961ae
SHA256 20288625f8650f263c61b0afbe7a51f441e638bb03305fbe962f36dbf1086e51
SHA512 d7810fdbbe00f2b76158f87dbb7413cfae733202eb566a634092c5b05f0ddf983c44435c15e022a73ac054114eb5b88be15f17253e5cf5b8ead7926fcf74badc

C:\Users\Admin\AppData\Local\Temp\XyMAUoMk.bat

MD5 1c0cb56f2f2ff6ad80a3b5929fb91626
SHA1 7501b55ab1ded389c4b4159b4ff22f4b250c8c09
SHA256 acd4dbe5385649847fdd4dd001cdcfb077686ddd81ce74ffb803d3ba5760f1cf
SHA512 8c4b536d5927665aa16c4b1f9ba5387e30dec6ecfea82cc1a6fa0ad7fbc34b9df0fe14b758e469a97f45a8512b43448764e0dde59f98983f6423280a4bdb7aab

C:\Users\Admin\AppData\Local\Temp\uuMUsogc.bat

MD5 5965810c2e1eede6715f9a75acc9b1a2
SHA1 1ca685397fda71baa968193301829ae8f9dbd374
SHA256 a939896a391641e74ab055401c8d2b9358189e2d27dfa2b1d75660a116a9c279
SHA512 f638c5b81595c82c969886140c1689e5950e79b6544f5444586f995132d800a55b5e76d93993af6caef5612eab12e07509a66b2a3429b8590462f7547449f9b9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:59

Reported

2024-10-16 18:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\ProgramData\qAcsYMwY\VaMwEgso.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAMQoUAs.exe = "C:\\Users\\Admin\\ockAcUMI\\cAMQoUAs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VaMwEgso.exe = "C:\\ProgramData\\qAcsYMwY\\VaMwEgso.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAMQoUAs.exe = "C:\\Users\\Admin\\ockAcUMI\\cAMQoUAs.exe" C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VaMwEgso.exe = "C:\\ProgramData\\qAcsYMwY\\VaMwEgso.exe" C:\ProgramData\qAcsYMwY\VaMwEgso.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A
N/A N/A C:\Users\Admin\ockAcUMI\cAMQoUAs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\ockAcUMI\cAMQoUAs.exe
PID 4676 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\ockAcUMI\cAMQoUAs.exe
PID 4676 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Users\Admin\ockAcUMI\cAMQoUAs.exe
PID 4676 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\qAcsYMwY\VaMwEgso.exe
PID 4676 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\qAcsYMwY\VaMwEgso.exe
PID 4676 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\ProgramData\qAcsYMwY\VaMwEgso.exe
PID 4676 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 4936 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 4936 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 5052 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5052 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5052 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2412 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 2412 wrote to memory of 1836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 5108 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5108 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2480 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2480 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1836 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 872 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 872 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
PID 1836 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1836 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"

C:\Users\Admin\ockAcUMI\cAMQoUAs.exe

"C:\Users\Admin\ockAcUMI\cAMQoUAs.exe"

C:\ProgramData\qAcsYMwY\VaMwEgso.exe

"C:\ProgramData\qAcsYMwY\VaMwEgso.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQkIwAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWAUkQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsEcQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diAgYIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKoQMAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JisAMQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUIEAMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kskokYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osQYkMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwMggwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAUcoMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgMIAYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSgsUEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUAkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkMcUUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeMIYUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yysUYoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouIMggoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQskMAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwcYwYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyoQgocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGoMgwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoAEkUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoAgAMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOEcYQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwgYMIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqAAgoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKcscEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsAUcsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQsEwUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XccYcMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMEcQQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKkIsYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcgMIAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwYkgUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkYgscAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zakwEcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiEEoUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmkkkoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEAUQccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggUMIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mesAwUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOcgQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIsIIgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeIQAgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgAwMIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWoswkEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwwkQEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKMUQcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSYkQUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAQYEYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMIQUUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwkQIsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYIcsUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMgwQksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoUgoogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMAkgQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RigEgsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsggYUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqksAoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSgEUkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YugIgEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYEkcQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGEwcoEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XisUQIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LycsYwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYIMsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCwkgEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeIkUooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsEYAcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUYMUAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMcQQoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaEEQcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyIcUQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOUIkMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaAUMQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIEYoUYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWYQEkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQocwYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMEQoscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQEwsIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQgsIIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMAEEAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqcQYEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWIcIsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEwAYMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUsIwQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yccMQsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgwQogMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeMsockM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMUQEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSQwIEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUAgwkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeEoUcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osYkIAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqoQAUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcAsEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsUwIgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            97.17.167.52.in-addr.arpa     udp
BO       200.87.164.69:9999    -                             tcp
BO       200.87.164.69:9999    -                             tcp
US       8.8.8.8:53            google.com                    udp
GB       172.217.169.14:80     google.com                    tcp
GB       172.217.169.14:80     google.com                    tcp
US       8.8.8.8:53            103.209.201.84.in-addr.arpa   udp
US       8.8.8.8:53            0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa   udp
BO       200.119.204.12:9999   -                             tcp
BO       200.119.204.12:9999   -                             tcp
US       8.8.8.8:53            197.87.175.4.in-addr.arpa     udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53            75.117.19.2.in-addr.arpa      udp
BO       190.186.45.170:9999   -                             tcp
BO       190.186.45.170:9999   -                             tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            67.209.201.84.in-addr.arpa    udp
US       8.8.8.8:53            30.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp
US       150.171.27.10:443     tse1.mm.bing.net              tcp

Files

memory/4676-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\ockAcUMI\cAMQoUAs.exe

MD5 e667f2cebb2eaa89069d9ec8a55457b5
SHA1 775b84a913d2ff2fa38926d694c0007ba802da94
SHA256 50e3cf29a6d421a559502258e76cd51dfea9a18f37461a4e1fd6930e766487ee
SHA512 dedc6a92e03453df687c35f7e0924e6fd192f577d2b00c57ec69bb399339c96a045d4fae7b6b741da49031d26045f2bf5235fa180df54c8b685b8ce4ce070a87

memory/4052-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\qAcsYMwY\VaMwEgso.exe

MD5 d31e8a9bcd80f8f7e8946c3ecc6185c4
SHA1 0efab7a9712c87c61db68e8560718c01393a85b8
SHA256 620d52131cf6dae7ffc915839a98a52416c5327ca2bb0641b95b982bc12c6204
SHA512 33ebedd4b995d067dcfa7c0e1ef9d805f46083377fec0ef697522891233a7659e7a7459a49d92ee1585f4b52a1a73347e77c20cd679a71ffefe6ce4f3f183d40

memory/4156-14-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4676-19-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GQkIwAUE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock

MD5 88fdf033287a0bbe808f238d33ee612f
SHA1 83707d74209a0bb1db0c4f1f195386e1893a94aa
SHA256 e2db76506487923da33011355eae311c48edd74fcf1347cd968266de86ad9e1c
SHA512 95e192483a9279b0a92d0aa00e742c0d48d5d621ad63fb6e7c107c189f43d29c4d7713e98c237a782e595a0db662d42c9315c69452a3482c50e62300a2448f93

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/5108-30-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1836-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1384-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3012-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4872-74-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4604-85-0x0000000000400000-0x000000000041F000-memory.dmp

memory/648-96-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3116-107-0x0000000000400000-0x000000000041F000-memory.dmp

memory/944-118-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3520-129-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4464-130-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4464-141-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2220-152-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4704-160-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2296-164-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5048-172-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4704-176-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5048-187-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3456-198-0x0000000000400000-0x000000000041F000-memory.dmp

memory/216-209-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2304-220-0x0000000000400000-0x000000000041F000-memory.dmp

memory/676-231-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4272-242-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1044-250-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4592-258-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3128-266-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1448-274-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3964-276-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3964-283-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2008-291-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3268-299-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3512-300-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3512-308-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3680-309-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3680-317-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2220-325-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1776-327-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1776-334-0x0000000000400000-0x000000000041F000-memory.dmp

memory/636-335-0x0000000000400000-0x000000000041F000-memory.dmp

memory/636-343-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4272-351-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4904-359-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1428-367-0x0000000000400000-0x000000000041F000-memory.dmp

memory/412-375-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4952-383-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4072-391-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3756-393-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3756-400-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5016-408-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-413-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3408-417-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-425-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2612-433-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1360-441-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2992-442-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2992-450-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4596-451-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4596-459-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3896-467-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iAwg.exe

MD5 61b87c656628e6ab05094feb52dda945
SHA1 f8d2d6060e52559552eaea203249e27383748e88
SHA256 78a344c2456c3a1c768742a98becdd18bf24f8639fecfc54bc937ab7127308e3
SHA512 07eb8674f1f78eb8fe1a8685a48456ce03ab3a291278bb44feba2bf0690fb71d18b0214bc6a1ef5e296361b2219ae388ede1920e6b111b2de8c79787a0cddcc6

memory/3448-490-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GIgW.exe

MD5 a4a8bda58cb32f23df30afd43675c4f0
SHA1 2c897aaf833ae9d85d4e6a6262bbacee84cafe1e
SHA256 c100bcdf1573e73d8c8bdb87c0b8a46a1f9c0e5e488324336efd0c6672186f49
SHA512 397e5e833ecf37ccddb9ec17f69dd92c65998e5dfffef0e8311b9681b617bb1be47a03f1d594368e1900557e29de9245db61bf351f41acf104da370f34203127

memory/772-525-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2668-526-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wwca.exe

MD5 d5b168f1dff725d120f1ea95f7d2702e
SHA1 857565ab7badbca745ed1b91145eb9b4909c6a69
SHA256 3a4d9ffa93b87c35ba0da1721d412d39983709a51817937b45768aab2ac5154d
SHA512 4a74e16bd9bf87d2e53bbbe624687c83ea508f40575b21f9ee2acb540fd9981d671d6c5926ba788da506dc346859675c9753c60ba622a8e45ce32616170d9adc

C:\Users\Admin\AppData\Local\Temp\MEsS.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\sswk.exe

MD5 c3964c8a7cda8105b4bb71c48f23e78e
SHA1 47bbc163b23aa1f2548c20d7f20074dbae757241
SHA256 21d115eabad7495523ce06cf82b246c7c7164d63b2d5e6d5a93af96111ffbaf9
SHA512 336774e65e1d12d8102439283ed08efae6fa2bac0b105be36ae6b2f45d62f24ef3b118ef8e1d793d13aac6a8528d0d3bbd5924254f745b52173b7cea9895a85f

C:\Users\Admin\AppData\Local\Temp\akkI.exe

MD5 14876f237f88fffa942a8e441f5c4417
SHA1 0a3bc4bd2ed156cea2b01bff6e30d695d5f3ecb2
SHA256 ef08db8c970c9dce571b80a4de148670c10597f381c3487dc2a1c80f5ccc0e40
SHA512 7b0f26f53a1edb5f1f2f66824acfcbe77fca040dcf60542b869a6ea0709582f6da92c2307dfb62284c856e93d548acd3e4e1db78f10b0471264047aeb69e4039

C:\Users\Admin\AppData\Local\Temp\eYAs.exe

MD5 b6c46a3095844e54ffdbd140e3afd78f
SHA1 7524d26a92aee38c6cbd7712caac7ee68eb09686
SHA256 8c574e3564ccc53ee1620320e96750953c7806819ad7d717adbc1a03f5dbaca2
SHA512 61dbeb914e6acbd291f172a86a618f3f34a1eea0d62df6244003bd262176fcd755fd24a2133c876153a3549a7a6c48512a91466fa8ea14cb42ebee46374f59b1

C:\Users\Admin\AppData\Local\Temp\gAca.exe

MD5 65a6d0583737379e94f5e2d8607cdf2f
SHA1 762d3ea439c9a8eb06fffef8c2d282d175efe69a
SHA256 29c0e5f4f438d1460f8bbbbbfd3f44841be77b4024191d23300befdb830d79e5
SHA512 a1d76837235932777292b433ce4244435b299fc6fcd6cb76ba39767ca60437801642b1619880599e5cec8de89cd784e312122a2857d9d5c118ea4d42d0c314dd

memory/2668-590-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kAYO.exe

MD5 92c51c2132cdeb2365058fef571ea35b
SHA1 730dfd58121c3bd4a8b90c73726329feebcf8edf
SHA256 213926e53f77455ddd5fa279601444bae1de0eab4bd0c389fbf2f1c9f38533c9
SHA512 213654fb9d4970a03e633aa00041fa97523ec99379796cd0252c2dd8470c602cdf70abdc372d4843a6e257d96f2572cb6b8ced0136558e6a56f80128ebb5ac2f

C:\Users\Admin\AppData\Local\Temp\uQgU.exe

MD5 df92cdbd8951d28f49f9c2736e69a980
SHA1 def6a3437a3aa4b2a915be0a6fb93b6e2464c2da
SHA256 be397c3ff8afa16749e2b3d97388ee74866e683e8b6101e0a0d3272bbed9a342
SHA512 3447940d3bbe8951df49ea76035f6e31737d5665d12e92c9b5de1ec3f5521b66d0affe0bd4ee7025340cc5f305e65ba3b9099c71b0ccfcb0eee92cc7d88e96a2

C:\Users\Admin\AppData\Local\Temp\UoQW.exe

MD5 97527a8a5fe5dd0de878b26dcde04e92
SHA1 6e8e281e999e1e5db692f565cfdae287e50b105b
SHA256 49c74d9b8603f10a28f761712720d960080a57e6bb2b00cae00ed2c8f1372e37
SHA512 a7119bd6c04a59ed9f7e352c813e13c9c93f377b3d83978e54ea7f9cfbad35ca1a4549e0c6ebcf9af23a93d9c7b3e128ce7a60c2cac091758c0ce8e97c0fa285

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 cb1d8f75521594c05a0f5c3c4a2d3a30
SHA1 0950d2c95488a576ded08ab211c6dd293b6425c0
SHA256 c2f63d94d6fbf278351402f92d9e69dd5948e4b13ebd5e40d6a55bddb17a1174
SHA512 7e46b296f783842a8f5225151910a07f065d7761783003106bf8c172af78caec0f70df3defc949e6f6892b0dd9a3417d4415eed1a54e193ad79ea60ec42be8af

memory/1492-654-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQQM.exe

MD5 ceecf0ba45b307092f8c7203e63f3a5d
SHA1 82899c261168a23ddb478013fabe7e8218c8824f
SHA256 a32e9a7d770db006a6912c68be0ad865340036136900d2c102ae0e21228c13bb
SHA512 1ce7924239d9a55743c02f64e992094f8c29117a3f6bd807e2126164f1f9da5881bd41bc5d12eb3e3ff88595612a8b927314c8b5f03d0a38292ba36ce1df70d0

memory/1840-669-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AYQy.exe

MD5 f4c4f5e8e9cce5fc1b6bde1b8310b94f
SHA1 34004af76f6f1341b71b9b343ae158a205f398a3
SHA256 ca1e17b0f71b58e1256b3041f854c72f5191cb8d10827348797208dcf82cf24a
SHA512 4a41e56e57d29e29a2ddd9f28d447fe432b139a87f6b77f75c5cd6b7f2df5d9522cd7336cad408ffe459f04c10e7e2c3df99c22576e8a1167cdefd5fe2581cc0

C:\Users\Admin\AppData\Local\Temp\ooMg.exe

MD5 86b729db60623f713cd2b97a28edbb0f
SHA1 af1ee84953c1f8bfae9b8db22f2029cbf441ce2a
SHA256 c6e023d47a3aabd9c5d2862a1be0587ce6890c5d9b50cae3d2deacc769753273
SHA512 691307fe20ac3deea06ed8981aa4c1929267a79e7737713b8c1ea9698217084b88366be488b39782483800c64b584b9f73c472bdefe95802861b6d17a7e8e77e

C:\Users\Admin\AppData\Local\Temp\QAIk.exe

MD5 8d30ed51a6d05e99f4550876f9f5c503
SHA1 9aae1239543357557a17f0a414b04f5a53623139
SHA256 8c62c1a5ad525403e3f9006cf123ee658b62f786ece2e6496b3da2e90f5ff1eb
SHA512 2ff1aadf7842cde2c1a8569ac4a13e1173da17ea1604d8ad62583134f873c536cfec827328e9527de55d613dbc2d8f88de1fdc5f3d71790dfab68dbe036acd55

memory/1840-719-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoW.exe

MD5 981fa7f1a0ae6de52fb46bee25b718e5
SHA1 cf762948be36d9d7f03865fb5d3721f3cdc78831
SHA256 9712697d7f75ddc46cb039ee15744929cbf1e0deb94b8e7178732c26ade82eb0
SHA512 779f8108a3be9119c9fdaf08501f2ca9e05dd2e3e847e1ff743c92cea5a08ba7e28eddd8dc4fbe391ecfbd6d2be931445d0756a16f4ba5f5b35adb233852ba47

C:\Users\Admin\AppData\Local\Temp\sAcE.exe

MD5 dc134353f69f77cf8951763a6206f3cb
SHA1 a6b108174a707b85e1057539960cd01300959ac5
SHA256 8ff229a194a1b6f2322a3350623129fec7189d8d9d3c8889e72c6b5ac038229c
SHA512 6adae9e90b183e3f98380e5d979cdff08446b18becfcb23f81adc0d216895198b48f855ca6eb3cb9b95c48002192125b6689ce40d5a623c817c1f130bb8aeacc

C:\Users\Admin\AppData\Local\Temp\wkEe.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\UAMc.exe

MD5 455446eccaaee519a06c438d1b6d22ad
SHA1 e5664dab82f697e491446334ed21d353ba96dca6
SHA256 bf1e0c238d6e6388af70dfeb66f48a861c6c1182232a78dc0fd40a3a332f071d
SHA512 14c2d608781a2ed371ea848db3bf6343edc846780180d14ae472ac4d66a93ce377dd5d9c59e32483bbe1a2bb58b0f267670f2d9ddba2ce5252857238aae29673

C:\Users\Admin\AppData\Local\Temp\MgEu.exe

MD5 b8d39b5400ef5e0d54d2a5a5e34f014f
SHA1 38888b81663bc1032d36d7e81ae0c84c3217437b
SHA256 3529c509b8fa4e586f2aca225aa1685f3f232c28f20da3dcf3eb374f0ee67ce8
SHA512 4d2793b24f64c754ac52f7da4659df4fef79816fee58c5a39fc35280acb3b83e9bd4bf2a1ef9d01221a0045794ff95fea61fd008f0570a84d73438a1d93c5ff6

memory/2880-797-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iMoY.exe

MD5 d90af19b6594e02aa342cd3244f42f00
SHA1 59e1ae135d9c9b009723e4047cf42abcd666b3ea
SHA256 03f3ada70ca6c0771b2f7a71757462b5b249db42267f38f1f708c6bed6541fca
SHA512 455d071952735b46d428be3cb59eaa1c4c4774d27c09cb974edf22cc4c8334a906d2292ef6ee45cca327bf8b8878d17de36fcbbde1a492da3a7f7e38b43e6f6b

C:\Users\Admin\AppData\Local\Temp\OMwu.exe

MD5 2f106f1caa02d6f79866e20be6e3a2d2
SHA1 8823afc640fdf500b6d11fabbe250e886d4bbd05
SHA256 e3cb5d24c69dd7a0f353a95a8a629c7c7b8b89b4402e3d0b94287bd92eee8564
SHA512 93cbcc83102d24c563f1cdf0624c8d950694358720a418b81060e96daf05dc82a53fccf82776bb28b2b26f7cb040aee3e4a08adb3a6ea27a7d481f1b481f8ebe

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 5a7dd24bed212cd2f87548169656decf
SHA1 575da03995b599af577a53f71cdbfc3577ea523d
SHA256 05e0f9c2613a534faa295d64322487f9f4fac28f50a1a9b07d4e8a1881a53f97
SHA512 f80ea79f54ca6cfcdb940a7e9df04ac22464251dab5a99ec8582278d49a6bb9d85fc8fabfcc273174ac4113a0a1afcd1cbebdcad0f30af5e565ea1d35a26e50a

C:\Users\Admin\AppData\Local\Temp\ekQa.exe

MD5 1de675faa2959ba9692b336885643f0b
SHA1 51b8b462a1bc3fcb4dc8fdd4db5c72ec0b5f33d1
SHA256 ae9211a507cdf3580e5c70b48d5e19e0dc549bec0e8e2f6e1c04d01938044e83
SHA512 b32f8bf385feaaca00a59cb644d3cbdfc7b13952dc69809b950835ba6a6f7fd9083d372aa974889e577a6e4452d02236c35ebd0902c4de490c07ca41dc0f56c2

memory/4880-861-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IkoE.exe

MD5 ae07019504ab79c6c0a1ed19c8cbf049
SHA1 6e63db6f60fa1c72178e4dd02a3a4f2eea6e870c
SHA256 82ad92ebd66d1e2874a905cbf38fec3c91db9d88a9ec8f41a8be292dcdb302bf
SHA512 104548ea51a408f88fc14c9f02197f7febc96158456af3f857aa2fd0ec25ba8606db55d57c53e7160a22cf064925d746830b2feb623203bc0d05acfbf538fc16

C:\Users\Admin\AppData\Local\Temp\msYG.exe

MD5 81c9f4381bf0769b9bed7d88ab9c13aa
SHA1 8d349f92354e47994592abc86ca95da76dacc739
SHA256 1863f7b1209bd72660266412c3d66b8c25129006c1376b7a0858030b53c6e288
SHA512 19c3e8c10bafc144dd65285fc9e7b5e2ab2b0d5dd27110d3277b66623c07baa2712166d4c037012fd49e1916c400df2d5f310bdfc5192836b5e61bcfd3eaa539

C:\Users\Admin\AppData\Local\Temp\ioUo.exe

MD5 9983aa05a952f45f1bcd226cb3e1f16b
SHA1 665387b8ee260bf02da9e4f65884dddf87c430d1
SHA256 1a82c272a3e58599ee747cd25b75afbf7db8cf8ab11c66e81e72e72d97d1762d
SHA512 5d1baa51bb9efe7c6ece2a951115ed6c248837c6eb1db49d0a1815ddf517351524ad87dff0c9b65a8572dd2f4614f9bc8c91189a04a0ec1cfd013ad1fed5dafc

memory/3508-898-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sooI.exe

MD5 b251ae6353f094de6a74bdd6ce57952c
SHA1 fa2ccc49c849ceed515ae47b357dd43047991fcc
SHA256 ac36e94c82ea00532f542bdf419acd095fbbdc4d21cbc034a48809aa45ac4ff1
SHA512 d056db6d6176995438fb5bf0d5e5fda8b85af4193dc45386908886dd27e8c5706a47fb45372f36324603c74e044879b651b36baac5edd699539ae6930a09ec24

C:\Users\Admin\AppData\Local\Temp\cMEa.exe

MD5 e44ea0eefc663bcc377b8ae97ce6bfd6
SHA1 758fcea12d9102737040e91776051bb6b2d7c208
SHA256 0fe35df3e2f86ff77d4445212fb1a509aa9378f59ab3cc0f3ddbb371d35c2bc5
SHA512 04d0cfe08a7888d21d13e73dbdc8d93164b056262e13e7ab2306f0e0dde1b1e369fdc482a62da4d6848b58ed476b5bc86dbf20dab991d4c40f5a6737ebea8be1

C:\Users\Admin\AppData\Local\Temp\AgoA.exe

MD5 166b96179d7c1da2adb7dc613cf18b56
SHA1 a06485d660da93526b5b2d873b43e2ce96c76f46
SHA256 107a293b0eb64d524c4d3de68d455581ba852d4576c7b010a4a26739a8bb2d5c
SHA512 7539943f7abdc539135f14a2b5b44c99cc5b37a2ed054314a83844c655592e98c048fa502078f3bbcf449212331c2dc834c8d748cd79dd2c30abb46cd991a77c

C:\Users\Admin\AppData\Local\Temp\MUQy.exe

MD5 16619dc1499e5865e772184e6fdf0037
SHA1 99e2a5390bf3db034d23084cc7d1f133f4320b12
SHA256 a3747507fe6096574f85fc43420d8b2966dbf6e9841c9861b1411a6f6347af2e
SHA512 8ee766f0a81d205d116c423ffe662890bc5b6f68ff75209aa46a5e44f60b91b826eb9b1b0edf5c170c17a43df64cdf6c12ab2621c97e1f03cdb8fde9669c0a45

memory/3036-961-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OEIS.exe

MD5 f764e7f97bbeae4bc372836e144a0074
SHA1 a4e930971d7c596168af2c4940122ad1731e6730
SHA256 2a7169ae1ccdc5b7183f4c9ab64096ad93d434ff9f7040b19e8da8049f4f8513
SHA512 06be95714f604b46011df634ab77c7b1bb7c3e0d15cf1f9dec2e23d47f0fb857a51608fe1716f0621adda4354b00dafcf0dbe0326854e49412dd49d77f1db371

C:\Users\Admin\AppData\Local\Temp\IUQS.exe

MD5 3655e6e08dc1f976484350369c6b5a4f
SHA1 5e0d6988fb90d1f71bde7b5dfda6c2e2e345471a
SHA256 0da22e207522119766c8f970e7602ff093386e606cde97df6130194ed688bb07
SHA512 fb59254deac928a0308a3fc0f363de73de9440832f0d156c5011eceae5dece40c74712af57858961686ea91018e683e6ad73673a2f853337410ab7e3f73217e4

C:\Users\Admin\AppData\Local\Temp\YYcc.exe

MD5 112f819e85e34b73d43e5dc557d4ac71
SHA1 0b3bc0554c723c0a6bf219115eee2dbbf30cb809
SHA256 bc596ca9a53754286e5c0714667ed62aa1f89c5b762794d225310e68317ffb92
SHA512 10c0e3f21c64e71206f9effb60c6e6a7b269251b84693053f526311f4d5a0fc03ed85b80f3c8e5bc4fe70a02e91b36555edf9d08de134b848f6815ee3c104069

C:\Users\Admin\AppData\Local\Temp\IYAk.exe

MD5 3b61bcdc44e1acd55520696a14bac0ae
SHA1 380cbcd98f92ce025b97d10a929ddbaeb6be6523
SHA256 fd3a2e46cf4a81b64ef6230d520df9507506840332ba8768a8b3fe843c98a7c5
SHA512 5de8806d0bb9fa7407431c095533ea009c6ff292ad163542af47eddaef5226e9e1c4b65caa7e83c61d2699785878a02863a1de8a08985cd8164b826a2134f064

memory/4136-1025-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1492-1026-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEcA.exe

MD5 ef8ee70714f39e0d0b310581f22029bc
SHA1 e5a04a8751e4eccd3f29a39619597d63e5e20322
SHA256 ba23eef79281aad3c637cf5c4eed3a227e9f230858ab36c55d673d5bb40d8048